Today Howard Schmidt meets with Secretary of Commerce Gary Locke and Department of Homeland Security Secretary Janet Napolitano to discuss ideas for changing the economics of cybersecurity. Howard knows his stuff, and recognizes that this isn’t a technology problem, nor something that can be improved with some new security standard or checklist. Crime is a function of economics, and electronic crime is no exception.
I spend a lot of time thinking about these issues, and here are a few simple suggestions to get us started:
- Eliminate the use of Social Security Numbers as the primary identifier for our credit history and for access to financial accounts. Phase the change in over time. When the banks all scream, ask them how they do it in Europe and other regions.
- Enforce a shared-costs model for credit card brands. Right now, banks and merchants carry nearly all the financial costs associated with credit card fraud. Although PCI is helping, it doesn’t address the fundamental weaknesses of the current magnetic-stripe-based system. Having the card brands share in losses will motivate them to accelerate innovation in card security.
- Require banks to extend the window of protection for fraudulent transactions on consumer and business bank accounts. Rather than forcing some series of fraud detection or verification requirements, extending the window during which consumers and businesses aren’t liable for losses will motivate the banks to make the structural changes themselves, for example by requiring transaction confirmation for ACH transfers over a certain amount.
- Within the government, require agencies to pay for incident response costs associated with cybercrime at the business unit level, instead of allowing it to be a shared cost borne by IT and security. This will motivate individual units to better prioritize security, since the money will come out of their own budgets instead of being funded by IT, which doesn’t have operational control of business decisions.
Just a few quick ideas to get us started. All of them are focused on changing the economics, leaving the technical and process details to work themselves out.
There are two big gaps that aren’t addressed here:
- Critical infrastructure/SCADA: I think this is an area where we will need to require prescriptive controls (air gaps & virtual air gaps) in regulation, with penalties. Since that isn’t a pure economic incentive, I didn’t include it above.
- Corporate intellectual property: There isn’t much the government can do here, although companies can adopt the practice of having business units pay for incident response costs (no, I don’t think I’ll live to see that day).
Any other ideas?
17 Replies to “Simple Ideas to Start Improving the Economics of Cybersecurity”
Rich,
You’re a smart guy and I have enjoyed reading your thoughts on security issues, however, I think that the government needs to keep their hands out of private sector business operations. Your suggestion that government should dictate which parts of a business should be responsible for paying fines, for corrective action and technology is a viewpoint which we need less of in the U.S., not more.
More government interference with business means higher costs of doing business and less control and freedom. That means more cost to the consumer and less freedom. The net result is slower economic growth, and, less freedom.
You should stick to offering your views on security technologies, business challenges to securing their systems and data, and stay far, far away from offering advice on what the government should do unless of course you are recommending that they keep their hands out of our pockets and stop trying to run private businesses and redistribute dollars through legislation.
No amount of Socialist governing will increase the security of your and my information, in fact, the opposite will likely be true in the end. Are the Socialists in Europe more secure? Nah, they aren’t. And our banks here in the United States of America are free to see what the banks in other countries are doing but we don’t need to model our financial and regulatory systems after those in Europe.
Remember when America was the Gold Standard for innovation, justice, liberty and freedom? Leftist policies would have that erased from history. Let’s focus on what our companies can do to be more secure without suggesting government legislative take-over through regulation and without saying “Hey, the Europeans are great! They’re more fair and better than us anyway. Let’s be just like them.”
Require public companies and government organizations (at the very least) to disclose within time lapse “T” the occurrence and nature of any security or privacy incident with an estimated financial impact above “X” dollars and to disclose the way the incident is being or was addressed.
BTW, the NRC and SEC already do this for other types of risk.
Have the FTC (or some other governmental organization) monitor this information and (maybe) provide a risk ranking, then provide financial incentives (tax or other) to organizations that have a good infosec risk standing and track record, penalize those that don’t.
Impose severe penalties to those organizations that fail to comply with the mandate to disclose incidents and their corresponding resolution.
The underlying idea is to prompt organizations to implement effective security practices and to show them off to get a competitive edge.
All stick and no carrot will not work
I love a lot of these ideas! Great work here.
A few comments:
“Eliminate the use of Social Security Numbers as the primary identifier for our credit history and to financial accounts”
The problem with SSNs is that they are not used as the primary identifier — only 7 or 8 digits are used — and they are NOT matched with the name of the person. The only things that must match are 8 of the 9 digits unless 2 are swapped (thus, only 7 digits would match exactly). Some of the first name must also match i.e. there must be 3 letters from the first name that match the 7 or 8 SSN digits. The capability of identity-theft abuse with a handful of SSNs allows literally tons of new identities and credit histories to be formed. After about 6 months, these identities are eligible for more advanced transactions, and after 1 year they are available for limit raises and other new forms of credit. Combine this with shell companies and other white collar fraud, tax evasion, or money laundering techniques and you have a big, ugly ball of wax.
“Although PCI is helping”
Huh? No, PCI is only helping the credit card companies and issuing banks. It’s not making anything more secure. My favorite story that describes the problem well here is food testing standards. The companies that purchase meat set their own standards for testing controls. One of the more polished places that sells meat all over the country (no, not Walmart, another big chain — but this probably also applies to Walmart) has a huge list of controls: more than any others. However, their meat still lets some tainted meat through the process. How? Because the controls are too prescriptive and broad-reaching. If you compared their long list of controls to the short list of a local grocery that gets less tainted meat — you would notice that the local grocery specifies more detail that leads to less tainted meat specific to their region: with knowledge of local issues that would affect meat in their specific area.
And thus, the difference between compliance and risk management is exactly the same as the major countrywide chain vs. the local grocery. We do need multiple controls (perhaps even a long list), but they need to be tailored. If you are dressing up super models, you don’t hand them XS, SM, M, and L clothing. You don’t even hand them size 0,2,4,6. You tailor their fashion specific to the model’s body. The concept of L1-4 Merchants is retarded. The requirements do not fit the environments that they intend to protect. Even with alternate and compensating controls PCI DSS, COBIT, and even ISO 27k or FISAP miss the fundamental truth of the matter: they are not a good fit for any one organization.
Very few information security leaders want to get rigor around risk management, and this is a major problem in our industry.
“Any other ideas?”
We could really use enforced information sharing. It’s always going to be litigation that is going to force this. Attorneys General and the FTC need to assemble teams to start external performance accounting (and tie it into internal audit at the worst performing companies) around data breach notification laws. They need to find out who is not reporting and fine them. We need to start rewarding data breach whistleblowers.
Right now most companies do not know about their breaches because most choose not to know. They ignore ransom letters that threaten or prove the potential of a data breach by hitting the `delete’ key in their email. They turn off logging (when they should be turning up logging and centralizing it). They put up walls around auditors and assessors. They take measures to ensure that anyone who has seen a defacement (or other evidence of a breach) is silenced and the evidence destroyed. They grab disks on servers that have been breached — and instead of doing forensics — they scrub the data. These people are classic paper shredders.
Look at the history of what companies have done to vulnerability researchers who disclose application security issues — responsible or not. “That’s not exploitable — it’s just a cosmetic crash! We’re rolling out a new version tomorrow that is totally different than the current code anyways”.
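As an added illustration (not from the post or any commenter), assuming the credit-file matching rule works the way the comment above describes it, this Python flags applications whose SSN and first name collide with an existing file only under that loose rule, which is the check a fraud analyst would want for spotting possible synthetic identities. The records and names are constructed, and reading “3 letters from the first name” as three shared letters is my assumption.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class CreditFile:
    ssn: str          # nine digits, no dashes (constructed sample values)
    first_name: str


def ssn_loose_match(a: str, b: str) -> bool:
    """Loose rule as the comment states it: 8 of 9 digits equal, or only
    7 equal because the remaining two are adjacent and transposed."""
    if len(a) != 9 or len(b) != 9:
        return False
    diff = [i for i in range(9) if a[i] != b[i]]
    if len(diff) <= 1:
        return True
    if len(diff) == 2:
        i, j = diff
        return j == i + 1 and a[i] == b[j] and a[j] == b[i]
    return False


def name_loose_match(a: str, b: str) -> bool:
    """Assumed reading: at least three letters shared between the names."""
    shared = Counter(a.lower()) & Counter(b.lower())
    return sum(shared.values()) >= 3


def find_collisions(applications, files):
    """Return (application, file) pairs that are NOT the same identity but
    would still be accepted as a match under the loose rule."""
    flagged = []
    for app in applications:
        for existing in files:
            if app == existing:
                continue  # exact match is the legitimate case
            if ssn_loose_match(app.ssn, existing.ssn) and name_loose_match(
                app.first_name, existing.first_name
            ):
                flagged.append((app, existing))
    return flagged


# Constructed data: one real file plus applications that collide with it.
FILES = [CreditFile("123456789", "Jonathan"), CreditFile("987654321", "Maria")]
APPLICATIONS = [
    CreditFile("123456798", "Jon"),        # last two digits transposed
    CreditFile("123456780", "Jonny"),      # one digit off
    CreditFile("123456700", "Jonathan"),   # two digits off, not a swap
    CreditFile("123456789", "Jonathan"),   # the genuine holder
]

if __name__ == "__main__":
    for app, existing in find_collisions(APPLICATIONS, FILES):
        print(f"review: {app} collides with file {existing}")
```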
A very good practical discussion. A nice change in the cybersecurity debate!
-I think that it is key to change the liability model for cards. The only way you introduce more secure models for payment (for example smart cards rather than mag stripe) is to make it cost money for companies like VISA rather than letting them write off all the fraud they have now.
-For contracts with Govt entities, enforce through contract law that they are liable if govt information is exposed on their own networks. Yes…this will take awhile, but worth the try.
Jessee-
A good idea indeed.
I’ve seen performance bonuses tied to audits before with some success, but there’s the catch 22… you need the defined standards you mention in order to measure against. For security, how do we:
-define requirements that don’t suck (PCI!) that we can measure against?
-demonstrate that those requirements actually reduce the probability or impact of an incident taking place in proportion to their cost of implementation
-quantify the real and complete cost of an incident? This can range from really easy (fraud involving tangible losses) to really hard (fraudulent access to IP)?
-justify the investment (would the security team indemnify the business unit against breach and response costs if they meet and maintain the minimum standards)
If we can’t do the above, can we really make the sale?
Yeah, but it’ll be a fantasy for a while... lots of bureaucratic humps to work through.
>>
Enforce a shared-costs model for credit card brands. Right now, banks and merchants carry nearly all of the financial costs associated with credit card fraud. Although PCI is helping, it doesn’t address the fundamental weaknesses of the current magnetic stripe based system. Having the card brands share in losses will increase their motivation to increase the pace of innovation for card security.
<<
By card brand, I assume you mean the network (e.g., VISA) and not the bank that issued the card. If that is the case (and really, even if you refer to the issuing bank), how could they be liable for losses? It is the bank that allows the transaction and the merchant who initiates it and the cardholder (or not!) who requests it. Placing liability on the network is akin to saying the road is liable for a car accident. It just doesn't feel right. Anyway, it doesn't reduce fraud one iota; (optimistic view) it merely incents more players to be interested in solving it or (pessimistic view) dilutes the impact so that it is more tolerable. Like it or not, fraud is and always has been part of business, and the parties to the transaction have always made accommodations for fraud. Why isn't that model viable still?
Jesse-
I freaking love that idea!
Having incident response costs borne by the business unit that is breached/responsible seems like a great idea. Tying it to performance bonuses seems like an idea worth exploring as well. Maybe a little $$$ motivation for stopping people in the hall who don’t have their badge, for example.
It makes me think that security groups inside a company should act in a consultant/regulator role. Enforce a minimum rule set that each department must live up to. Sell added security to departments as needed/affordable.
Figuring out how to tie the money to security performance without rolling a giant FUD ball is key and difficult.
How about making software suppliers provide a dollar-backed warranty against security flaws? True, it would stop some micro-ISVs from selling to banks. On the other hand, it would stop banks buying from micro-ISVs.